Jul 28, 2008 at 06:25 AM

Nested Permissions on KM folders

Gurus,

I have the following query...

In our dedicated BI Portal (that for UME is also connected to SAP BI) we created in KM folders per company code. There are approx. 150 separate companies in this organization. Every company must only have access to their dedicated company folder in KM. We already implemented the just mentioned by creating single roles for every company code and assigning them programmatically to the users. Then in KM set the permissions on the dedicated company folders based on this single role (that is visible as a group in the portal).

The mother organization has defined the roles (like: director, controller, manager etc). These roles are shared by all companies (so not every company has its own set of roles as they all work the same way and are organized the same way). These roles are composite roles and are also assigned programmatically to the users. So this means for example Managers of every company are linked to the role "Manager" but as mentioned before they are all separately assigned a single role per company.

Now comes the tricky part...

Within the dedicated KM folders per company we want to authorize on roles. Now if we just set the read permission on the dedicated company folder (let's say 12345) then all employees of Company 12345 can see all the content. If we set additional permissions per role (let's say Manager) on a document called xyz.doc then still every other employee of that company code can see it. Now you might think that because the dedicated company folder already takes care of the company permissions you can remove the inherited company permissions of the document xyz.doc... This seems to do the trick as only the Manager of Company 12345 can see document xyz.doc...

But there is a security issue with this: because all managers of all companies are assigned the role "Manager", they now could access document xyz.doc if they know the URL to it... so this ain't 100% safe.

Of course we could create company-specific composite roles but that would be unmaintainable (150 companies X 30 roles = 4500 company-specific roles)...

So my question to you gurus is how to solve this query? If possible with usage of default components/configuration (so without programming)...

Thanks in advance!

Benjamin Houttuin
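
The gap described in the post above, modelled as an added example that is not part of the original post and is not SAP KM code: an audit that lists resources readable by users outside the owning company. It assumes, as the post describes, that a resource with its own ACL stops inheriting and that a direct URL is checked against that ACL only; all group names, users and paths are constructed.

```python
# Simplified model of the ACL behaviour described in the post.
# All principals, users and paths below are constructed sample data.
GROUPS = {  # principal -> members
    "company_12345": {"alice", "bob"},
    "company_67890": {"carol", "dave"},
    "Manager": {"alice", "carol"},  # shared role spanning all companies
}

# path -> own ACL (principals with read); None means "inherit from parent"
ACLS = {
    "/companies/12345": {"company_12345"},
    "/companies/12345/report.doc": None,
    "/companies/12345/xyz.doc": {"Manager"},  # inherited company ACL removed
    "/companies/67890": {"company_67890"},
}

def effective_acl(path, acls):
    """Walk up the path until a resource with its own ACL is found."""
    while path:
        acl = acls.get(path)
        if acl is not None:
            return acl
        path = path.rsplit("/", 1)[0]
    return set()

def readers(path, acls, groups):
    """Users who can read `path` by direct URL: union over ACL principals."""
    users = set()
    for principal in effective_acl(path, acls):
        users |= groups.get(principal, set())
    return users

def audit(acls, groups, company_root="/companies/"):
    """Return {path: users outside the owning company who can read it}."""
    findings = {}
    for path in acls:
        if not path.startswith(company_root):
            continue
        code = path[len(company_root):].split("/", 1)[0]
        allowed = groups.get(f"company_{code}", set())
        leaked = readers(path, acls, groups) - allowed
        if leaked:
            findings[path] = leaked
    return findings

if __name__ == "__main__":
    for path, users in audit(ACLS, GROUPS).items():
        print(path, "readable by non-members:", sorted(users))
```

Because ACL entries combine as a union, the check flags any document whose own ACL names only a cross-company role; the intersection "Manager AND company 12345" has no principal to express it in this model.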